– The National Cyber Director is feeling more optimistic than ever about how much progress the US can make in defending itself against digital threats. Why? He has seen what Ukraine has done against impossible odds – and he believes the US can follow suit.
HAPPY TUESDAY and welcome to Morning Cybersecurity! This very special issue of MC finds its way to your inbox from quiet Sea Island, Ga., where yours truly is on duty at The Cipher Brief’s 2022 Threat Conference.
I’m here with four retired stars, a bunch of current and former devils and senior executives from the business world. It’s the kind of crowd that gossips about North Korean hackers during cocktail hour and bursts into applause at the idea of overhauling the defense procurement process.
Am I having a good time? Well, I’ve met DOJ officials whose names I knew from the hacking allegations, cyber intelligence experts of APT1 knowledge, and an inspirational entrepreneur who used my face to do a fake Conan O’Brien. So yes, yes I am.
Have tips, comments or feedback for MC? Email me at [email protected]. You can also follow @POLITICOPro AND @MorningCybersec on Twitter. Full team contact information is below.
Would you like to receive this newsletter every weekday? Subscribe to POLITICO Pro. You’ll also get daily policy news and other information you need to act on the day’s biggest stories.
PROOF OF CONCEPT – It’s not known whether National Cyber Director Chris Inglis took notes sitting next to your MC host on Monday morning, but it sure looks like it: When he took the stage at the Cipher Brief 2022 Threat Conference, America’s top cyber official struck an optimistic note, arguing that Ukraine’s strong cyber defenses over the past eight months show the US government can mitigate a large and growing array of cyber threats.
Speaking as his office puts the finishing touches on the country’s first national cybersecurity strategy since 2018, Inglis said Ukraine’s surprising performance on the digital battlefield has proven the U.S. can make significant progress on security if it makes “serious” investments in digital resilience and doesn’t delegate digital protection to “market forces or fate.”
“If someone had asked me in February 2022, I would have underestimated the strength of the defense,” said Inglis, who recalled how he once compared cybersecurity to a football match in which neither offense could be stopped. “Ukraine showed us some investments in digital infrastructure, in roles and responsibilities and in people skills that can pay big dividends in your ability to develop a strong defense.”
Regulation — Repeatedly citing the example of the automotive and aviation industries during his speech, Inglis argued that the US government needs to take a stronger regulatory role to secure the nation’s digital infrastructure.
However, Inglis was coy when asked for specifics on what such an arrangement might entail. At one point, he insisted the government would apply “the lightest possible touch” with the industry.
Definitions — Beyond the question of how to plug holes in the nation’s critical infrastructure, Inglis indicated his office is also reevaluating how the label itself is applied.
Although a useful “organizing principle,” the country’s digital dependencies do not fit neatly into the 16 industry verticals — such as the commercial facilities sector and the dams sector — that the government currently uses.
The future cyber strategy will address the reality that true critical infrastructure is “horizontal,” Inglis said, meaning that attacks against critical infrastructure in one sector can spread to another.
Workforce — Inglis also hinted at big changes in the way the government thinks about the country’s IT workforce.
Inglis suggested that the new national cyber strategy would address the talent shortage not only among the people who protect IT systems, but would also look more broadly at options for training everyday Americans to use digital services safely.
TEKU – This morning, the White House is releasing a fact sheet detailing the administration’s cybersecurity efforts so far. MC took a sneak peek, and two things caught your host’s eye.
First, the administration’s next push to secure Internet of Things devices will start with routers and home cameras. Second, starting October 31, the White House will host a group of international partners for a two-day event dedicated to ransomware.
TIME FOR A RETHINK? – The government is falling short when it comes to helping the private sector tackle cyber threats – and it needs to consider new thinking, fast. That’s the consensus of a group of former government officials and current industry leaders who shared a packed stage Monday at the conference.
While they agreed that the government’s current model of working with the private sector was seriously flawed, they called for a range of competing reforms, from less regulation to more regulation.
Incentives — Teresa Shea, former director of Signals Intelligence at the NSA, suggested that cooperation with industry is “failing” because of a confusing mix of laws, policies and regulations that forces industry to withhold critical information.
Shea suggested the government could reverse that dynamic by providing incentives to encourage industry to share more information. She did not elaborate on what that would mean.
Overhaul — The harshest criticism came from former CISA director Chris Krebs. “The complexity of the digital ecosystem is so overwhelming and I don’t believe we have the structure in place to regulate it,” he said.
Krebs, who recently gave a speech arguing that CISA should become an independent government agency, suggested the government create an independent advisory council that looks seven years into the future and maps out how to build “the government of today and tomorrow.”
Middle ground — Between Shea and Krebs, the panelists also offered more modest proposals for how the government can begin to fix its efforts to partner with the private sector.
The government should expand the number of critical infrastructure sectors it recognizes to include cloud services and space, argued Mark Montgomery, executive director of the Cyberspace Solarium Commission and its successor, CSC 2.0.
The government should harmonize its approach to regulating private industry’s cybersecurity, said Glenn Gerstell, former NSA general counsel, who said it “doesn’t make sense” for cyber to be “pursued” by any particular regulatory agency with its own rules.
SPEED OVER SPECIFICS – An all-FBI panel at Monday’s conference argued that U.S. law enforcement is applying a valuable lesson from its success thwarting an Iranian election-meddling campaign two years ago: When you call out covert hacking campaigns, sometimes it’s okay to sacrifice detail for speed.
“Country-level attribution is pretty good” when it comes to calling out state-sponsored hacking campaigns, said Cynthia Kaiser, chief of the National Cyber Security Intelligence Section. “You don’t need to get right down to the individual level,” she continued, referring to the lengthy process by which governments identify the specific hacker or agency after an incident.
Deets, please — When the FBI and the Office of the National Director appeared at a surprise news conference just two weeks before the 2020 presidential election and accused Iran of targeting American voters, government officials shared fewer details than usual.
While this raised some initial questions about the credibility of the claims, it allowed the government to move with unprecedented speed and blunt a serious digital threat early on.
Prior to this, the government tended to wait weeks or even months before issuing public statements naming who it believed was behind a particular hack.
One last thing — Asked whether the emergence of several congressional candidates who dispute the results of the 2020 election would dampen the bureau’s willingness to share information, Kaiser said no.
“Transparency makes everyone safer,” she said. “We’ve faced hesitation and skepticism from election officials before, and we have a history of being able to push through.”
IT’S SIMPLE, DOCTOR — When it comes to privacy, consumers don’t ask for much. More than promises about how companies will protect their data, they want greater transparency about how their data is used, according to a consumer privacy survey released this morning by Cisco. Thirty-nine percent of respondents told Cisco that companies can best build trust with them by communicating how their data is used, while 21 percent said companies should refrain from selling customer data.
UNDERSTAFFED — State CISOs from across the country are scrambling to find staff to keep pace with a growing cyber threat landscape, according to a report released Monday by Deloitte and the National Association of State Chief Information Officers. Head counts for state cybersecurity professionals have stagnated since 2020, even as the responsibilities of many state CISOs have increased, the researchers found. As a result, more than three-fifths of state CISOs report competency gaps among their staff.
John Hultquist, vice president of intelligence analysis at Mandiant, explains why we shouldn’t panic about recent Russian DDoS activity against US airports.
Mona Harrington has been appointed assistant director for the National Risk Management Center at CISA. Harrington has worked as acting assistant director for NRMC since March.
Thursday’s newsletter incorrectly identified Matt Tait’s affiliation. Tait is now an independent cyber security expert.
— Hackers steal $100 million from Binance. (The Record)
— Germany’s cybersecurity chief could face dismissal over ties to Russian intelligence. (Reuters)
— Russian hackers claim credit for DDoSing websites of US airports. (Bloomberg)
— Russia cuts Internet services in Ukraine amid wider attacks on civilian infrastructure. (Netblocks)
Talk to you soon.
Stay in touch with the entire team: Eric Geller ([email protected]); Maggie Miller ([email protected]); John Sakellariadis ([email protected]); and Heidi Vogt ([email protected]).